Cybercrime is increasingly conducted by a highly specialised chain of software break-in experts, underground market-makers and buy-side fraudsters who convert stolen passwords and identities into financial gains. Criminals can keep data for months or even years before using it to defraud victims.
The study, entitled "The Internet Organised Crime Threat Assessment" by the EU's criminal intelligence agency, says because laws limit how much data can be held and for how long, police cannot effectively trace and prosecute criminals.
Tougher laws for investigating and prosecuting cybercrime also need to be harmonised across the bloc, the report said.
"The majority of intelligence and evidence for cyber investigations comes from private industry. With no data retention, there can be no attribution and therefore no prosecutions," says Europol of criminals who often operate beyond EU borders in Eastern Europe and beyond.
Europol also says the pool of cyberfraudsters is growing.
"Entry barriers into cybercrime are being lowered, allowing those lacking technical expertise including traditional organised crime groups to venture into cybercrime by purchasing the skills and tools they lack," it said.
While providing no specific numbers, the agency says that the scale of financial losses due to online fraud has surpassed damages to payment from physical credit and other payment cards. Losses are huge, not just for card issuers but also for airlines, hotels and online retailers, the report states.
In other recommendations, it also warns about the abuse of anonymous virtual currency schemes such as Bitcoin, pointing to a "considerable challenge in tracking such transactions or even identifying activities such as money laundering".
The agency highlights the role of anonymous, private networks, known as Darknets, in enabling a vast underground trade in drugs, weapons, stolen goods, stolen personal and payment card data, forged documents and child pornography.
Europol's report capitalises on a growing body of literature from academic and private sector cyber threat researchers that have traced the rise of such online criminal marketplaces trading in billions of personal financial details.
"The future is already here"
Cybercriminals are cashing in on the latest Internet trends such as Big Data, Cloud Computing and The Internet of Things, allowing them to rent massive computing power to analyse vast troves of data gathered from the ever-expanding range of connected devices in homes, cars and on consumers themselves.
For example, the report finds that "Big Data" predictive software is now used by criminals to identify the most lucrative targets for credit card fraud and to improve methods of tricking consumers into divulging more personal data for later attacks.
"The future is already here," the Europol study states.
The agency describes the rise of what it labels "Crime-as-a-Service", running illicit activities via a network of independent suppliers, mimicking parts of the "Software as a Service" playbook that drives top Web companies, including Salesforce, Amazon.com and Google.
Crime-as-a-Service offerings include:
Data as a service collects huge volumes of compromised financial data such as credit cards and bank account details and bundles it with standard personal ID info. Such specialisation allows the massive automation of both online and offline fraud.
Pay-per-install, another service, is a means of distributing malware to comprised computers, by country or demographic, expediting both online and offline fraud because it frees fraudsters from having to steal personal data themselves.
Translation services, in which native speakers are hired to convert phishing or spam attacks written in one language into convincing, grammatically correct scripts in other tongues.
Money laundering services act as bridges to cash out from digital or physical world financial systems, often using money mules as go-betweens.
© Thomson Reuters 2014